Discussion:
SELinux Namespace on bind mounted files
Zvonko Kosic
2018-03-08 10:55:03 UTC
I've seen the presentation by James Morris about namespacing SELinux and
I have a question regarding a special case we have in our environment.

We have third party prestart runtime hooks for docker which bind mount
files from the host into the container image, which have the wrong label.

To change the SELinux labels on the host is not an option because
it breaks stuff on the host.

Will the SELinux namespacing work on files that are bind mounted?


Thanks & Regards,
Zvonko Kosic
Stephen Smalley
2018-03-08 13:20:23 UTC
Post by Zvonko Kosic
> I've seen the presentation by James Morris about namespacing SELinux and
> I have a question regarding a special case we have in our environment.
> We have third party prestart runtime hooks for docker which bind mount
> files from the host into the container image, which have the wrong label.
> To change the SELinux labels on the host is not an option because
> it breaks stuff on the host.
> Will the SELinux namespacing work on files that are bind mounted?
I believe the answer is yes, since my patches support per-namespace in-core inode SIDs and James' additional patches support per-namespace on-disk xattrs (so the bind-mounted files can have two distinct labels, one of which will be presented to processes in the root/init namespace and the other to processes within the child namespace). That said, this is all very much work in progress.
Daniel Walsh
2018-03-08 13:23:33 UTC
Post by Stephen Smalley
> Post by Zvonko Kosic
> > I've seen the presentation by James Morris about namespacing SELinux and
> > I have a question regarding a special case we have in our environment.
> > We have third party prestart runtime hooks for docker which bind mount
> > files from the host into the container image, which have the wrong label.
> > To change the SELinux labels on the host is not an option because
> > it breaks stuff on the host.
> > Will the SELinux namespacing work on files that are bind mounted?
> I believe the answer is yes, since my patches support per-namespace in-core inode SIDs and James' additional patches support per-namespace on-disk xattrs (so the bind-mounted files can have two distinct labels, one of which will be presented to processes in the root/init namespace and the other to processes within the child namespace). That said, this is all very much work in progress.
I am not a big fan of Namespaced SELinux.  I think it complicates things
and will confuse people.  I would think a better solution would be to
run your container with a different type so that you could allow access
to these file types.

It would be a lot easier to create a type based on container-selinux
policy and just run your container with it.


podman run -ti --security-opt label=type:mycontainer_t -v /SRC:/DEST IMAGE

Or if you must

docker run -ti --security-opt label=type:mycontainer_t -v /SRC:/DEST IMAGE
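As an added example (not code from this thread, and not part of container-selinux, podman or docker), the following POSIX shell script packages the two checks a practitioner would want before taking Dan's advice: first, given `ls -Z`-style lines for the bind-mount sources, list the files whose type a default container domain is assumed not to be able to read (the "wrong label" case from the original question); second, emit the `--security-opt label=type:...` command line for a custom type while refusing the `:z`/`:Z` mount flags, since those relabel the host source, which the original poster says is not an option. The sample `ls -Z` lines, the `READABLE_TYPES` list and all function names are constructed assumptions; the list in particular must be checked against the policy actually installed.

```shell
#!/bin/sh
# Added example, not from the thread or the container-selinux project.

# Assumed set of file types a default container domain (container_t) can read.
# This list is an assumption; verify it against the installed policy with
# sesearch before relying on it.
READABLE_TYPES="container_file_t container_share_t container_ro_file_t usr_t etc_t"

# Constructed sample in the format of `ls -Z <paths>`: context, then path.
SAMPLE_LS_Z='system_u:object_r:container_file_t:s0 /data/shared/config.yaml
system_u:object_r:var_log_t:s0 /var/log/app.log
system_u:object_r:usr_t:s0 /usr/local/bin/tool'

# Read "user:role:type:level path" lines from stdin and print "path type" for
# every path whose type is not in READABLE_TYPES.
flag_wrong_labels() {
    while read -r label path; do
        [ -n "$label" ] || continue
        # The third colon-separated field of a context is the type.
        ptype=$(printf '%s' "$label" | cut -d: -f3)
        found=0
        for t in $READABLE_TYPES; do
            if [ "$t" = "$ptype" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s %s\n' "$path" "$ptype"; fi
    done
    return 0
}

# An SELinux type identifier: letters, digits, underscore, ending in _t.
valid_type_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *_t) return 0 ;;
        *) return 1 ;;
    esac
}

# True if a -v mount spec carries :z or :Z, which relabel the host source.
mount_relabels_host() {
    case "$1" in
        *:z|*:Z|*:z,*|*:Z,*|*,z|*,Z|*,z,*|*,Z,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<runtime> run -ti --security-opt label=type:<type> -v <mount> <image>",
# or fail with a message on stderr when the inputs do not pass the checks.
build_run_cmd() {
    runtime=$1; ctype=$2; mount=$3; image=$4
    case "$runtime" in
        podman|docker) ;;
        *) echo "unknown runtime: $runtime" >&2; return 2 ;;
    esac
    if ! valid_type_name "$ctype"; then
        echo "not an SELinux type name: $ctype" >&2; return 3
    fi
    if mount_relabels_host "$mount"; then
        echo "mount spec relabels the host source, refusing: $mount" >&2; return 4
    fi
    printf '%s run -ti --security-opt label=type:%s -v %s %s\n' \
        "$runtime" "$ctype" "$mount" "$image"
}

demo() {
    echo "Bind-mount sources a default container domain likely cannot read:"
    printf '%s\n' "$SAMPLE_LS_Z" | flag_wrong_labels
    echo
    build_run_cmd podman mycontainer_t /data/shared:/data IMAGE
}
demo
```

The relabel check is deliberately strict: if the host files cannot be relabeled, the only remaining lever is the process type, which is exactly the custom-type approach Dan describes, and the flagged paths tell you which file types that custom policy must be allowed to read.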
James Morris
2018-03-08 21:59:26 UTC
Post by Daniel Walsh
> I am not a big fan of Namespaced SELinux.  I think it complicates things and
> will confuse people.  I would think a better solution would be to run your
> container with a different type so that you could allow access to these file
> types.
> It would be a lot easier to create a type based on container-selinux policy
> and just run your container with it.
> podman run -ti --security-opt label=type:mycontainer_t -v /SRC:/DEST IMAGE
> Or if you must
> docker run -ti --security-opt label=type:mycontainer_t -v /SRC:/DEST IMAGE
I think it depends on your use-case. If you want an OS-like privileged
container, then the current solution of having SELinux appear disabled in
the container is inadequate for many users. It is also trivially possible
to access and modify global SELinux state from there.
--
James Morris
<***@namei.org>